From 51b933c5f011c9c195f9bfcfe3c5a8594f33ae82 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sat, 11 Mar 2017 23:58:52 +0900 Subject: [PATCH] src: Use "Modern compatibility" ciphers by default --- src/ssl.h | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/src/ssl.h b/src/ssl.h index 23c71fa9..691748e9 100644 --- a/src/ssl.h +++ b/src/ssl.h @@ -45,8 +45,8 @@ public: LibsslGlobalLock &operator=(const LibsslGlobalLock &) = delete; }; -// Recommended general purpose "Intermediate compatibility" cipher -// suites by mozilla. +// Recommended general purpose "Modern compatibility" cipher suites by +// mozilla. // // https://wiki.mozilla.org/Security/Server_Side_TLS // @@ -68,16 +68,10 @@ constexpr char DEFAULT_CIPHER_LIST[] = #ifdef TLS1_3_TXT_AES_128_CCM_8_SHA256 TLS1_3_TXT_AES_128_CCM_8_SHA256 ":" #endif // TLS1_3_TXT_AES_128_CCM_8_SHA256 - "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-" - "AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-" - "SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-" - "AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-" - "ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-" - "AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-" - "SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-" - "ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-" - "SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-" - "SHA:DES-CBC3-SHA:!DSS"; + "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-" + "CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-" + "SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-" + "AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"; constexpr auto NGHTTP2_TLS_MIN_VERSION = TLS1_VERSION; #ifdef TLS1_3_VERSION